Ultra-Technology AS – €10,875 Fine (Norway, 2021)

A person lodged a complaint to the Norwegian DPA (Datatilsynet) for having been subject to what they felt was an unlawful credit rating by the company Ultra-Technology AS. The company claimed legal grounds for this in Article 6(1)(f) GDPR, pursuing a third party's legitimate interest. After receiving the DPA's notification of a fine, the company claimed they had other internal policies and procedures in place which would be sufficient for credit ratings. They also claimed that the intended fine was too high. The Norwegian DPA (Datatilsynet) held that Ultra-Technology AS had no legal basis as per Article 6(1)(f) GDPR to conduct the credit rating, because the legitimate interest must be based on the company's requirement and interest. Consequently, the DPA fined the company €12,785 (NOK 125,000), reduced from NOK 175,000, however only due to the long case processing time (in line with the Norwegian Privacy Appeal Board's latest decisions) and not the company's request for a reduced fine. The DPA also held that company must create a company policy and implement internal controls of their credit rating process, in line with Article 24.